mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2025-08-25 00:21:28 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
u-boot/cmd
History
Nicolas Iooss 8f8c04bf1e i2c: fix stack buffer overflow vulnerability in i2c md command 
When running "i2c md 0 0 80000100", the function do_i2c_md parses the
length into an unsigned int variable named length. The value is then
moved to a signed variable:

    int nbytes = length;
    #define DISP_LINE_LEN 16
    int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
    ret = dm_i2c_read(dev, addr, linebuf, linebytes);

On systems where integers are 32 bits wide, 0x80000100 is a negative
value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
0x80000100 instead of 16.

The consequence is that the function which reads from the i2c device
(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
but with a size parameter which is too large. In some cases, this could
trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
a 16-bit integer. This is because function i2c_transfer expects an
unsigned short length. In such a case, an attacker who can control the
response of an i2c device can overwrite the return address of a function
and execute arbitrary code through Return-Oriented Programming.

Fix this issue by using unsigned integers types in do_i2c_md. While at
it, make also alen unsigned, as signed sizes can cause vulnerabilities
when people forgot to check that they can be negative.

Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Reviewed-by: Heiko Schocher <hs@denx.de>
2022-06-28 15:51:56 -04:00
..
arm
cmd: exception: arm64: fix undefined, add faults
2022-03-02 13:59:29 -05:00
broadcom
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mvebu
cmd: mvebu: Hide bubt specific options when bubt is disabled
2022-05-16 11:31:33 +02:00
riscv
cmd/sbi: add implementation ID 6 - Coffer
2022-05-26 18:37:55 +08:00
sandbox
cmd: sandbox: implement exception command
2020-12-13 07:58:17 -07:00
ti
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
x86
Merge https://source.denx.de/u-boot/custodians/u-boot-x86
2021-08-02 21:35:50 -04:00
.gitignore
cmd: rework "license" command
2017-02-08 15:56:28 -05:00
ab_select.c
part: Support getting whole disk from part_get_info_by_dev_and_name_or_num
2021-02-26 15:30:55 +01:00
abootimg.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
acpi.c
acpi: Fix buffer overflow in do_acpi_dump()
2022-04-29 11:11:36 -04:00
adc.c
cmd: simplify do_adc_single()
2022-05-05 15:06:02 -04:00
addrmap.c
cmd: Add a command to display the address map
2021-03-05 10:25:43 +05:30
adtimg.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
aes.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
armflash.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
avb.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
axi.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
bcb.c
cmd: bcb: fix bcb struct alignment issue
2022-02-05 15:49:00 +01:00
bdinfo.c
video: Drop references to CONFIG_VIDEO et al
2022-03-28 20:17:07 +02:00
bind.c
cmd: bind: Fix driver binding on a device
2021-10-12 14:19:52 +02:00
binop.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
blk_common.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
blkcache.c
cmd:Elaborate 'blkcache' cmd HELP statement
2021-08-04 15:58:31 -04:00
blob.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
bloblist.c
cmd: Add missing check for CONFIG_SYS_LONGHELP
2021-03-27 15:04:30 +13:00
bmp.c
video: Drop references to CONFIG_VIDEO et al
2022-03-28 20:17:07 +02:00
boot.c
cmd: boot: Update reset usage message
2021-08-26 08:08:11 +02:00
bootcount.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
bootdev.c
bootstd: Add a bootdev command
2022-04-25 10:00:04 -04:00
bootefi.c
cmd/bootefi: correct command syntax
2022-05-28 10:59:27 +02:00
bootflow.c
bootstd: Add a bootflow command
2022-04-25 10:00:04 -04:00
booti.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
bootm.c
cmd: bootm: add subcommand preload
2022-03-31 14:12:23 -04:00
bootmenu.c
bootmenu: use utf-8 for menu title
2022-05-31 07:57:02 +02:00
bootmeth.c
bootstd: Add a bootmeth command
2022-04-25 10:00:04 -04:00
bootstage.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
bootz.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
btrfs.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
button.c
dm: treewide: Rename 'platdata' variables to just 'plat'
2020-12-13 16:51:08 -07:00
cache.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
cbfs.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
clk.c
cmd: clk: fix long help message
2022-02-25 01:41:04 -05:00
clone.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
cls.c
video: Drop cfg_console
2022-03-28 20:14:24 +02:00
config.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
conitrace.c
cmd: conitrace: increase wait for next key
2021-01-13 02:38:01 +01:00
console.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
cpu.c
dm: Avoid accessing seq directly
2020-12-18 20:32:21 -07:00
cramfs.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
cros_ec.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
dataflash_mmc_mux.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
date.c
Convert CONFIG_SYS_I2C_LEGACY to Kconfig and add CONFIG_[ST]PL_SYS_I2C_LEGACY
2021-08-30 14:10:07 -04:00
demo.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
dfu.c
cmd/dfu: Enable 'dfu list' command without DFU_OVER_USB
2022-02-11 11:29:23 -05:00
diag.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
disk.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
dm.c
cmd: dm: Fixed/Added DM driver listing subcommands
2020-07-07 15:37:13 -04:00
echo.c
cmd: change suppress newline in echo command
2021-01-25 01:15:33 +01:00
eeprom.c
cmd: eeprom: Do not rewrite EEPROM I2C bus with DM I2C enabled
2022-03-23 07:27:37 +01:00
efi.c
efi: Support the efi command in the app
2022-01-15 10:57:22 +01:00
efidebug.c
cmd: efidebug: Disable 'capsule disk-update' when CONFIG_EFI_CAPSULE_ON_DISK=n
2022-04-09 21:06:31 +02:00
elf.c
bootm: Tidy up use of autostart env var
2021-11-16 14:35:09 -05:00
erofs.c
fs/erofs: add filesystem commands
2022-03-15 16:19:29 -04:00
ethsw.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
event.c
event: Add a command
2022-03-10 08:28:36 -05:00
exit.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
ext2.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
ext4.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
extension_board.c
cmd: add support for a new "extension" command
2021-05-13 13:09:05 -04:00
fastboot.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
fat.c
cmd: fat: Use do_save() for fatwrite
2020-10-23 13:33:07 -04:00
fdt.c
cmd: fix long text for fdt command
2022-05-05 15:06:02 -04:00
flash.c
mtd: cfi: introduce CFI_FLASH_BANKS
2022-01-21 14:01:35 -05:00
fpga.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
fpgad.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
fs_uuid.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
fs.c
cmd: fs: Add command to list supported fs types
2020-07-07 15:36:59 -04:00
fuse.c
cmd: fuse: Add a command to read fuses to memory
2022-02-18 18:12:23 +01:00
gettime.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
gpio.c
cmd: gpio: Add gpio read subcommand
2022-04-20 11:14:39 -04:00
gpt.c
cmd: gpt: add subcommand repair
2022-05-06 14:39:15 -04:00
hash.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
help.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
host.c
sandbox: Drop CONFIG_HOST_MAX_DEVICES
2021-12-05 09:23:15 -07:00
i2c.c
i2c: fix stack buffer overflow vulnerability in i2c md command
2022-06-28 15:51:56 -04:00
ide.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
ini.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
io.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
iotrace.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
irq.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
itest.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
jffs2.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
kaslrseed.c
cmd: kaslrseed: add command to generate value from hwrng
2021-12-24 10:54:56 +08:00
Kconfig
bootmenu: U-Boot console is enabled as default
2022-05-28 10:59:27 +02:00
led.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
legacy_led.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
legacy-mtd-utils.c
cmd: nand/sf: isolate legacy code
2019-12-04 17:10:51 -05:00
legacy-mtd-utils.h
cmd: nand/sf: isolate legacy code
2019-12-04 17:10:51 -05:00
license.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
load.c
loads: Block writes into LMB reserved areas of U-Boot
2021-10-25 14:29:37 -04:00
log.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
lsblk.c
dm: treewide: Rename 'platdata' variables to just 'plat'
2020-12-13 16:51:08 -07:00
lzmadec.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mac.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
Makefile
bootstd: Add a bootmeth command
2022-04-25 10:00:04 -04:00
mbr.c
mbr: Correct verification check
2021-11-28 16:51:51 -07:00
md5sum.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mdio.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mem.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
mfsl.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mii.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
misc.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mmc.c
cmd: mmc: don't assign unused values
2022-05-05 15:06:02 -04:00
mp.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
mtd.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
mtdparts.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
mux.c
cmd: Add a mux command
2020-10-28 11:49:31 -04:00
nand.c
cmd: nand biterr - Add support for nand biterr command
2021-10-26 15:26:45 -04:00
net.c
net: Drop #ifdefs with CONFIG_BOOTP_SERVERIP
2022-01-21 14:01:35 -05:00
nvedit_efi.c
cmd: correct return value for printenv -e
2022-06-19 15:53:09 +02:00
nvedit.c
cmd: env: Add indirect to indirectly set values
2022-04-07 16:50:42 -04:00
nvme.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
onenand.c
cmd: onenand: fix printf codes
2022-05-05 15:06:02 -04:00
optee_rpmb.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
osd.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
panic.c
cmd: add a panic command
2020-07-08 17:21:46 -04:00
part.c
cmd: part: list all 128 GPT partitions
2022-01-15 10:57:22 +01:00
pcap.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
pci.c
pci: Extend 'pci' command with bus option '*'
2022-01-28 17:58:41 -05:00
pinmux.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
pmc.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
pmic.c
dm: Avoid accessing seq directly
2020-12-18 20:32:21 -07:00
printf.c
cmd: setexpr: add format string handling
2021-07-27 14:50:47 -04:00
printf.h
cmd: setexpr: add format string handling
2021-07-27 14:50:47 -04:00
pstore.c
pstore: Support already existing reserved-memory node
2022-02-14 13:03:49 -05:00
pvblock.c
WS cleanup: remove trailing empty lines
2021-09-30 08:08:56 -04:00
pwm.c
cmd: pwm: fix typo 'eisable' -> 'disable'
2022-03-04 15:20:06 -05:00
pxe.c
pxe: Allow calling the pxe_get logic directly
2021-11-11 19:02:43 -05:00
qfw.c
qfw: Switch to CONFIG_SYS_LOAD_ADDR from CONFIG_LOADADDR
2021-08-31 17:46:37 -04:00
read.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
reginfo.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
regulator.c
dm: treewide: Rename ..._platdata variables to just ..._plat
2020-12-13 16:51:09 -07:00
reiser.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
remoteproc.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
rng.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
rockusb.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
rtc.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
sata.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
sb.c
common: Drop asm/global_data.h from common header
2021-02-02 15:33:42 -05:00
scp03.c
WS cleanup: remove trailing empty lines
2021-09-30 08:08:56 -04:00
scsi.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
setexpr.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
sf.c
spi: spi_flash_probe_bus_cs() rely on DT for spi speed and mode
2022-05-23 09:33:10 -04:00
sha1sum.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
sleep.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
smccc.c
WS cleanup: remove trailing empty lines
2021-09-30 08:08:56 -04:00
sound.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
source.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
spi.c
spi: spi-uclass: Add new spi_get_bus_and_cs() implementation
2022-05-23 09:33:10 -04:00
spl.c
arm: use CONFIG_SUPPORT_PASSING_ATAGS
2021-09-24 14:30:46 -04:00
sqfs.c
fs/squashfs: add filesystem commands
2020-08-07 22:31:32 -04:00
stackprot_test.c
cmd: wrong printf() code in do_test_stackprot_fail()
2022-02-11 10:52:37 -05:00
strings.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
sysboot.c
pxe: Refactor sysboot to have one helper
2021-11-11 19:02:39 -05:00
terminal.c
terminal: only serial_reinit_all if available
2021-04-12 17:44:55 -04:00
test.c
common: Drop log.h from common header
2020-05-18 21:19:18 -04:00
thordown.c
thor: add support for the dfu_alt_info reintialization from the flashed script
2021-01-31 14:08:56 +01:00
time.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
timer.c
cmd: Split out timer command from the sleep command
2020-10-23 13:33:07 -04:00
tlv_eeprom.c
cmd: tlv_eeprom
2021-10-21 07:39:05 +02:00
tpm_test.c
tpm: Switch TPMv1 over to use the new API
2021-03-02 15:53:37 -05:00
tpm-common.c
doc: replace @return by Return:
2022-01-19 18:11:34 +01:00
tpm-user-utils.h
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
tpm-v1.c
cmd: tpm-v1: fix load_key_by_sha1 compile errors
2021-11-17 13:47:27 +02:00
tpm-v2.c
tpm: use more algorithms than sha256 on pcr_read
2021-11-30 09:23:49 +01:00
trace.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
tsi148.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
ubi.c
cmd: ubi.c: skip part command if right partition is already attached
2022-04-14 15:39:15 -04:00
ubifs.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
ufs.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
universe.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
unlz4.c
lz4: Use a private header for U-Boot
2021-10-09 13:09:56 -04:00
unzip.c
sandbox: Enable support for the gzip command
2021-12-26 23:02:19 +01:00
usb_gadget_sdp.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
usb_mass_storage.c
cmd: usb_mass_storage: Use part_get_info_by_dev_and_name_or_num
2021-10-30 22:55:00 +02:00
usb.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
version.c
Remove including timestamp.h in version.h
2021-09-17 12:10:44 -04:00
virtio.c
virtio: call device_probe() in scanning
2022-04-09 21:06:31 +02:00
w1.c
global: Convert simple_strtoul() with decimal to dectoul()
2021-08-02 13:32:14 -04:00
wdt.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
wol.c
command: Remove the cmd_tbl_t typedef
2020-05-18 18:36:55 -04:00
ximg.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
yaffs2.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
zfs.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00
zip.c
global: Convert simple_strtoul() with hex to hextoul()
2021-08-02 13:32:14 -04:00